Hello,
thank you for the nice solution you provided with Selinux.
I have two issues:
1)
I use Centos 5.2 which clones Redhat Enterprise Linux. I use the
targeted policy.
Postfix and dovecot shares the certicates. I solved the problem in a
way that I copied the certificates and set the corresponding context.
I don't like this approach. Alternatively I can use the normal
audit2allow approach to allow postfix access to dovecot or vice versa
but I would like not to give them this right.
The best solution is to create a new context which can be accessed by
both domains.
With the new module approach, how do I start to write a new context
type? It is probably simple but I don't find the way to start by reading
the documentation on the net.
2)
I am actually a Java developer running my own Linux server, so I am far
away from being a Linux expert.
My feeling is that the documentation is really hard to follow.
It was hard to find out how to interpret the audit.log. The only
location to explain the different attributes seams to be
http://seedit.sourceforge.net/doc/access_vectors/
<javascript:void(0);/*1221395834258*/>
But still some documented log entries would be fine, e.g. what does a
socket connect require, what does a search for the config file in /etc
require, ...
I found the tip to use sealert -a on the
http://wiki.centos.org/HowTos/SELinux <javascript:void(0);/*1221395813896*/>
I found the statement do 'cat audit.log | audit2allow ...' but don't
trust the result somewhere. But well, if I shouldn't trust, I would
appreciate to analyse as well.
Your wiki does note
http://people.redhat.com/dwalsh/SELinux/Presentations/ManageRHEL5.pdf
<javascript:void(0);/*1221395820244*/> which is a good resource after
having understood the basics
The next page told me about sesearch, which is a very important tool IMHO.
http://www.durchmesser.ch/wiki/SELinux
<javascript:void(0);/*1221395840703*/>
I still have no idea how to find information on the different macros
which where noted somewhere.
From my beginner point of view, I noted my steps and resources on my
blog at http://www.laliluna.de/blog/
To summarize, I would appreciate a somehow more centralized complete
documentation, much more oriented to practical use cases.
Best Regards
Sebastian
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list